CVE List - 2025 / May
Showing 3801 - 3900 of 3982 CVEs for May 2025 (Page 39 of 40)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-46570 | 2025-05-29 | vLLM’s Chunk-Based Prefix Caching Vulnerable to Potential Timing Side-Channel |
| CVE-2025-46722 | 2025-05-29 | vLLM has a Weakness in MultiModalHasher Image Hashing Implementation |
| CVE-2025-46823 | 2025-05-29 | OpenMRS has Vulnerability in FHIR2 Module Privileges |
| CVE-2025-5323 | 2025-05-29 | fossasia open-event-server Mail Verification mail.py send_email_change_user_email reliance on obfuscation or encryption of security-relevant inputs without integrity checking |
| CVE-2025-5324 | 2025-05-29 | TechPowerUp GPU-Z 0x8000645C IOCTL GPU-Z.sys sub_140001880 memory leak |
| CVE-2025-32752 | 2025-05-29 | Dell ThinOS 2502 and prior contain a Cleartext Storage of Sensitive Information vulnerability. A high privileged attacker with physical access could potentially exploit this vulnerability, leading to Information Disclosure. |
| CVE-2025-48336 | 2025-05-29 | WordPress Course Builder < 3.6.6 - PHP Object Injection Vulnerability |
| CVE-2025-46701 | 2025-05-29 | Apache Tomcat: Security constraint bypass for CGI scripts |
| CVE-2025-3050 | 2025-05-29 | IBM Db2 denial of service |
| CVE-2025-2518 | 2025-05-29 | IBM Db2 denial of service |
| CVE-2024-49350 | 2025-05-29 | IBM Db2 denial of service |
| CVE-2025-47288 | 2025-05-29 | Discourse Policy plugin private group members visible |
| CVE-2025-47933 | 2025-05-29 | Argo CD allows cross-site scripting on repositories page |
| CVE-2025-5325 | 2025-05-29 | zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 testService special elements used in a template engine |
| CVE-2025-4967 | 2025-05-29 | Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS |
| CVE-2025-5326 | 2025-05-29 | zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 verifyToken deserialization |
| CVE-2025-5327 | 2025-05-29 | chshcms mccms Gf.php index server-side request forgery |
| CVE-2025-5328 | 2025-05-29 | chshcms mccms Backups.php restore_del path traversal |
| CVE-2025-5330 | 2025-05-29 | FreeFloat FTP Server RETR Command buffer overflow |
| CVE-2025-31263 | 2025-05-29 | The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4. An app may be able to corrupt coprocessor memory. |
| CVE-2025-31189 | 2025-05-29 | A file quarantine bypass was addressed with additional checks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to break... |
| CVE-2025-31198 | 2025-05-29 | This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A path handling issue was addressed with... |
| CVE-2025-31264 | 2025-05-29 | An authentication issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An attacker with physical access to a... |
| CVE-2025-31199 | 2025-05-29 | A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.4 and iPadOS 18.4, visionOS 2.4, macOS Sequoia 15.4. An app may be able to... |
| CVE-2025-31231 | 2025-05-29 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4. An app may be able to read sensitive location information. |
| CVE-2025-31261 | 2025-05-29 | A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access... |
| CVE-2025-30466 | 2025-05-29 | This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, visionOS 2.4, macOS Sequoia 15.4. A website may be able... |
| CVE-2025-5331 | 2025-05-29 | PCMan FTP Server NLST Command buffer overflow |
| CVE-2025-5307 | 2025-05-29 | Santesoft Sante DICOM Viewer Pro Out-of-bounds Read |
| CVE-2025-5332 | 2025-05-29 | 1000 Projects Online Notice Board index.php sql injection |
| CVE-2025-1907 | 2025-05-29 | Instantel Micromate Missing Authentication for Critical Function |
| CVE-2025-41438 | 2025-05-29 | Consilium Safety CS5000 Fire Panel Initialization of a Resource with an Insecure Default |
| CVE-2025-46352 | 2025-05-29 | Consilium Safety CS5000 Fire Panel Use of Hard-coded Credentials |
| CVE-2025-44612 | 2025-05-30 | Tinxy WiFi Lock Controller v1 RF was discovered to transmit sensitive information in plaintext, including control information and device credentials, allowing attackers to possibly intercept and access sensitive information via... |
| CVE-2025-44614 | 2025-05-30 | Tinxy WiFi Lock Controller v1 RF was discovered to store users' sensitive information, including credentials and mobile phone numbers, in plaintext. |
| CVE-2025-44619 | 2025-05-30 | Tinxy WiFi Lock Controller v1 RF was discovered to be configured to transmit on an open Wi-Fi network, allowing attackers to join the network without authentication. |
| CVE-2025-44904 | 2025-05-30 | hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the H5VM_memcpyvv function. |
| CVE-2025-44905 | 2025-05-30 | hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the H5Z__filter_scaleoffset function. |
| CVE-2025-44906 | 2025-05-30 | jhead v3.08 was discovered to contain a heap-use-after-free via the ProcessFile function at jhead.c. |
| CVE-2025-48757 | 2025-05-30 | An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. NOTE: this is disputed by... |
| CVE-2020-36846 | 2025-05-30 | IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library |
| CVE-2024-12224 | 2025-05-30 | idna accepts Punycode labels that do not produce any non-ASCII when decoded |
| CVE-2025-47952 | 2025-05-30 | Traefik allows path traversal using url encoding |
| CVE-2025-48068 | 2025-05-30 | Information exposure in Next.js dev server due to lack of origin verification |
| CVE-2025-48381 | 2025-05-30 | CVAT has information disclosure via browsable API |
| CVE-2025-48491 | 2025-05-30 | Project AI API Key Exposure in Source Code |
| CVE-2025-48476 | 2025-05-30 | FreeScout Has Business Logic Errors |
| CVE-2025-48477 | 2025-05-30 | FreeScout Has Business Logic Errors |
| CVE-2025-48478 | 2025-05-30 | FreeScout Has Business Logic Errors |
| CVE-2025-48479 | 2025-05-30 | FreeScout Has Business Logic Errors |
| CVE-2025-48480 | 2025-05-30 | FreeScout Has Business Logic Errors |
| CVE-2025-48481 | 2025-05-30 | FreeScout Has Business Logic Errors |
| CVE-2025-48482 | 2025-05-30 | FreeScout Has Business Logic Errors |
| CVE-2025-48483 | 2025-05-30 | FreeScout Stored XSS leads to CSRF |
| CVE-2025-48484 | 2025-05-30 | FreeScout Vulnerable to Stored XSS |
| CVE-2025-48881 | 2025-05-30 | Valtimo backend libraries allow objects in the object-api to be accessed and modified by unauthorized users |
| CVE-2025-5259 | 2025-05-30 | Minimal Share Buttons <= 1.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter |
| CVE-2025-4659 | 2025-05-30 | Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.4 - Unauthenticated Full Path Disclosure |
| CVE-2025-48490 | 2025-05-30 | Laravel Rest Api has a Search Validation Bypass |
| CVE-2025-41235 | 2025-05-30 | CVE-2025-41235: Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies |
| CVE-2025-4429 | 2025-05-30 | WordPress Gearside Developer Dashboard <= 1.0.72 - Reflected XSS |
| CVE-2025-48889 | 2025-05-30 | Gradio Allows Unauthorized File Copy via Path Manipulation |
| CVE-2025-48492 | 2025-05-30 | GetSimple CMS RCE in Edit component |
| CVE-2025-48865 | 2025-05-30 | Fabio allows HTTP clients to manipulate custom headers it adds |
| CVE-2025-48485 | 2025-05-30 | FreeScout Vulnerable to Stored XSS |
| CVE-2025-48486 | 2025-05-30 | FreeScout Vulnerable to Stored XSS |
| CVE-2025-48487 | 2025-05-30 | FreeScout Vulnerable to Stored XSS |
| CVE-2025-48489 | 2025-05-30 | FreeScout Vulnerable to Stored XSS |
| CVE-2025-48875 | 2025-05-30 | FreeScout Vulnerable to Stored XSS |
| CVE-2025-48880 | 2025-05-30 | FreeScout has Race Condition When Deleting Users |
| CVE-2025-48488 | 2025-05-30 | FreeScout Vulnerable to Stored XSS |
| CVE-2025-48936 | 2025-05-30 | ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection |
| CVE-2025-41385 | 2025-05-30 | An OS Command Injection issue exists in wivia 5 all versions. If this vulnerability is exploited, an arbitrary OS command may be executed by a logged-in administrative user. |
| CVE-2025-41406 | 2025-05-30 | Cross-site scripting vulnerability exists in wivia 5 all versions. If exploited, when a user connects to the affected device with a specific operation, an arbitrary script may be executed on... |
| CVE-2025-47697 | 2025-05-30 | Client-side enforcement of server-side security issue exists in wivia 5 all versions. If exploited, an unauthenticated attacker may bypass authentication and operate the affected device as the moderator user. |
| CVE-2025-4943 | 2025-05-30 | LA-Studio Element Kit for Elementor <= 1.5.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-lakit-element-link Parameter |
| CVE-2025-4431 | 2025-05-30 | Featured Image Plus <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Featured Image Update |
| CVE-2025-5236 | 2025-05-30 | NinjaTeam Chat for Telegram <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via username Parameter |
| CVE-2025-4633 | 2025-05-30 | Default Credentials |
| CVE-2025-4634 | 2025-05-30 | Local File Inclusion |
| CVE-2025-4635 | 2025-05-30 | Remote Code Execution |
| CVE-2025-4636 | 2025-05-30 | Local Privilege Escalation |
| CVE-2025-48912 | 2025-05-30 | Apache Superset: Improper authorization bypass on row level security via SQL Injection |
| CVE-2025-48334 | 2025-05-30 | WordPress Woo Slider Pro <= 1.12 - Arbitrary Content Deletion Vulnerability |
| CVE-2025-5142 | 2025-05-30 | Simple Page Access Restriction <= 1.0.31 - Cross-Site Request Forgery via Multiple Parameters |
| CVE-2025-5235 | 2025-05-30 | OpenSheetMusicDisplay <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter |
| CVE-2025-1763 | 2025-05-30 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab |
| CVE-2025-4597 | 2025-05-30 | Woo Slider Pro - Drag Drop Slider Builder For WooCommerce <= 1.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion |
| CVE-2025-4944 | 2025-05-30 | LA-Studio Element Kit for Elementor <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Compare and Google Maps Widgets |
| CVE-2025-5190 | 2025-05-30 | Browse As <= 0.2 - Authenticated (Subscriber+) Authentication Bypass via Cookie |
| CVE-2025-4433 | 2025-05-30 | Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both "User Management" and "User Group Management" permissions to perform privilege escalation... |
| CVE-2025-40909 | 2025-05-30 | Perl threads have a working directory race condition where file operations may target unintended paths |
| CVE-2025-1484 | 2025-05-30 | A vulnerability exists in the media upload component of the Asset Suite versions listed below. If successfully exploited an attacker could impact the confidentiality or integrity of the system. An... |
| CVE-2025-2500 | 2025-05-30 | A vulnerability exists in the SOAP Web services of the Asset Suite versions listed below. If successfully exploited, an attacker could gain unauthorized access to the product and the time... |
| CVE-2025-4598 | 2025-05-30 | Systemd-coredump: race condition that allows a local attacker to crash a suid program and gain read access to the resulting core dump |
| CVE-2025-48331 | 2025-05-30 | WordPress WooCommerce Orders & Customers Exporter <= 5.0 - Sensitive Data Exposure Vulnerability |
| CVE-2025-4992 | 2025-05-30 | Stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2025x |
| CVE-2025-4991 | 2025-05-30 | Stored Cross-site Scripting (XSS) vulnerability affecting 3D Markup in Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x |
| CVE-2025-4990 | 2025-05-30 | Stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x |
| CVE-2025-4989 | 2025-05-30 | Stored Cross-site Scripting (XSS) vulnerability affecting Requirements in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x |